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(54) Title: SECURITY CODE INPUT 
(57) Abstract 

A security code entry method is provided for restricting 
access to a computer-based system having a processor (30). 
a display (32), and user input means (34. 36) arranged to 
move an indicator (38) about the display under user control. 
When access is required the user is presented, via the display, 
with a display pattern (26A) comprising a start point (S) and 
a number of target points, with the security code comprising 
^ P'^«^c""*ned sequence of the target points. To enter 
the code, the user is required to move the apparent position 
of the indicator (display of which is inhibited) through the 
predetermined sequence of target points. The layout of the 
target points (26 A) may be changed after each attempt to enter 
the code, and the code itself may be carried in a sequence of 
arrangements of target points. 
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DESCRIPTION 

SECURITY CODE INPUT 

The present Invention relates to methods for security coding and 
in particular to a method for restricting access to a computer-based 
system having a processor, a display, and user input means arranged to 
move an indicator about the display under user control, the method 
requiring correct entry by the user of a predetermined security code as 
a prerequisite to access. The invention also relates to an apparatus 
having such restricted access. 

As networked computer services of various kinds become 
increasingly common, there will be many more situations where a user 
is required to provide some form of security identification to the service 
in use. Examples include a personal identification number (PIN) for a 
banking transaction, an account code or a credit card number for a 
home shopping service, and a password or other conditional access 
code for on-line information. At present, the most commonly-met user 
identifications are PINs keyed into cash machines via keypads, and user 
passwords typed into computer systems via keyboards. These methods 
require a set of physical numeric or alphanumeric keys which can be 
operated in a secure manner, without revealing the PIN or password to 
other people in the vicinity. 

A similar level of security needs to be provided for services where 
all user interaction takes place by moving a cursor or other indicator 
around a menu screen and selecting menu entries as indicated. At the 
simplest level, the user input may comprise a simple XY pointing device 
with a small number of buttons (maybe only two). An example of this 
would be a CD-i (Compact Disc - Interactive) player connected to a 
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public data network with a remote control being used to purchase films 
offered by a Video on Demand service through the network. 

It is an object of the present invention to provide the user with 
a convenient yet secure way of communicating a secret access code to 
a computer system just using a pointing device and a visual display. 

In accordance with the present invention, there is provided a 
method for restricting access as set forth in the opening 
paragraph,characterised in that; 

the user is presented, via the display, with a first pattern 
comprising a start point and a plurality of target points arranged related 
thereto, and the security code comprises a predetermined sequence of 

the target points; 

the user is required to move the indicator through the 
predetermined sequence of target points whilst display of the indicator 
is inhibited; and 

on determining that the indicator has been moved through a 
sequence of target points, an indication is provided to the user if that 
sequence does not correspond to the predetermined sequence. 

Preferably, the first pattern (which may simply comprise a grid 
arrangement of alphanumeric and/or graphical symbols arranged around 
the start point) further comprises an end point, with the determination 
that the indicator has been moved through a sequence of target points 
occurring when the indicator is moved by the user to the end point. 
Where the user input means is operable to select items on the display 
when indicated by the indicator, correct entry of the security code may 
further require selection of a predetermined one or ones of the target 
points in the predetermined sequence. 

To increase security, for one or more target points of the first 
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pattern, selection of (or placing the indicator on) that target point may 
be specified to cause the first pattern to be changed to a second pattern 
of target points: this may be extended to bring a change to a third 
pattern from the second, a fourth from the third and so on with, in the 
5 extreme, the pattern being changed for each indicated or selected target 

point of the sequence, and with only one correct target point in each 
pattern. The changed pattern may comprise the respective target 
points of the preceding pattern rearranged on the display, or it may 
include one or more target points not included in the preceding pattern. 

10 With such a system of changing patterns, each pattern preferably 

includes a start point and, on changing from the preceding pattern, the 
indicator is preferably positioned at the start point of the new pattern. 
As a further security precaution, the target points of the first pattern 
may be repositioned for each successive attempt to enter the correct 

15 sequence. 

In order to enable a user to cancel an attempt (for example if the 
user becomes aware that he/she has made a mistake in following the 
sequence) an escape point is preferably provided, the selection (or 
indication) of which restarts the users sequence input. Where only a 
single pattern of target points is provided, such escape may be provided 
by returning the indicator to the start point after commencing the 
sequence. 

Also in accordance with the present invention there is provided 
a computer-based apparatus having access restricted by the method of 
25 the present invention, the apparatus including a target point store 

holding data specifying the respective locations of the target points on 
the display; a security code store holding at least one security code; 
first comparator means arranged to receive an identification of current 
indicator position, compare this with the target point location data from 
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the target store, and output an Identification of a currently indicated 
target point; and second comparator means arranged to receive a 
sequence of the identifications from the first comparator means, 
compare that sequence with the code in the security code store, and 
5 output one or more signals indicating whether or not there is a match. 

Suitably, the target point store holds a plurality of target point 
arrangements and the apparatus may further include a pseudo-random 
selector arranged to select which target point arrangement is displayed. 

,0 Further features and advantages of the present invention will 

become apparent from reading of the following description of preferred 
embodiments of the present invention, given by way of example only, 
and with reference to the accompanying drawings in which: 

Figure 1 is a block schematic diagram of a networked CD-i 
16 system embodying the invention; 

Figure 2 is a block schematic diagram of a games system console 

embodying the invention; 

Figure 3 schematically represents a code storage and comparison 

stage embodying the invention; 
20 Figure 4 shows a first arrangement of screen targets; 

Figure 5 shows a modified version of the arrangement of Figure 

4; and 

Figure 6 shows a sequence of target arrangements according to 
an alternative embodiment of the present invention. 

A first arrangement of apparatus in which the security scheme of 
the invention may be employed is shown in Figure 1 . A CD-i player 1 0. 
connected to display on a television screen 12, is coupled (via link 14) 
to a consumer data network under control of network server 1 6. The 



DOCID: <WO 96181 39A1J„> 



wo 96/18139 



5 



PCTAIB95/01035 



network server 1 6 is configured to provide services to users such as 
Video on Demand, in which the user may select from a menu of 
available feature films which are then downloaded to the CD-i 1 0 over 
the data link 14. 

5 Selection from an on-screen menu of available films is made using 

a remote controller 1 8 of the CD-i which enables the user to control the 
movement (by up/dovvn/left/right controls 20) of a cursor or select bar 
22. A select button 24 is used to indicate that the choice currently 
marked by the cursor is the desired option. On receiving the selection, 

10 the network server 16 then requests the user to enter a security code 

via a displayed grid of targets 26 to confirm that the user is a registered 
subscriber to the service. 

An alternative system employing the target-based security code 
scheme is shown in Figure 2 comprising a computer games console 30 

15 with a display screen 32. The games console may suitably be of the 

type which accepts different games loaded as cartridges 34. Movement 
of a cursor 38 may be achieved by use of a joystick 36 or trackerball 
(not shown) and selection of a target from the displayed grid 26A is 
achieved by pressing the joystick "fire" button 40. In a 'stand-alone' 

20 application as shown, the coding scheme may be used to restrict access 

by minors to certain games, such as games having a highly violent 
content. 

The general form of interaction to enter security codes is as 
follows: 

25 1 . At the moment the service or device requires the user to 

input a code, a display will appear containing a pattern of visible targets 
and a start point. 

2. The XY pointing device will be used to move around a 
sequence of these targets already known to the user and corresponding 



V/O 96/18139 



6 



PCT/1B9S/01035 



to the access code. While this is happening, there is no visible 
counterpart (such as the cursor) on the display - the display is simply an 
alde-m6moire for the user. The cursor may remain visible until such 
time as the user has moved it from outside the pattern of targets to the 
5 start point but preferably the cursor would be automatically relocated 

to the start point and blanked simultaneously with the appearance of 
the target pattern. 

3. During movement of the "invisible" cursor, the user may 
need to press a button on the controller (for example the "fire" button 

10 40, Fig. 2), or the display may change spontaneously as the XY control 

is moved, as will be described below. 

4. Once the code has been communicated, an accept or reject 
response will be generated by the service. This may comprise a visual 
or audio indication or (for successful entry) this may simply be indicated 

15 by the granting of access. 

A storage and comparison stage for the code input technique is 
shown in Figure 3. This may comprise a dedicated hardware 
arrangement or the respective functions may be assigned to existing 
storage and processor devices of, for example, the CD-i player 10 or 
20 games console 30 of Figures 1 and 2 respectively. 

A target point store 42 holds display data and screen positions 
for a number of target point arrangements, with the particular 
arrangement displayed being selected by a pseudo-random selector 44. 
A first comparator 46 receives the x,y screen position of the cursor and 
25 compares this with the target point positioning data for the selected 

arrangement from the store 42 to determine which target point is 
current being indicated (which target the non-displayed cursor currently 
lies on). Where the operation requires selection (as in 3. above) the 
comparator may only carry out the current target point determination on 
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receiving a "select" command from the user input device. 

The sequence of target points identified by the first comparator 
46 is passed to a second comparator 48 which compares the sequence 
with a security code or one of a number of security codes in the form 
5 of target point sequences and held in a further store 50. When 

compared, the comparator outputs a match/no-match signal to indicate 
whether the user-entered code is accepted or rejected. 

The targets themselves can contain any sort of graphic relevant 
to the interaction. For numerical PINs, they would simply be the digits 
0 0 to 9; for passwords, a larger range of alphanumeric and/or graphical 

symbols could be provided. A helpful technique for the user is to 
provide pictorial symbols which the user cquld relate to a remembered 
- and fictitious - story. This could improve the probability of accurate 
recall by exploiting the power of visual memory, a technique used by 
5 memory "experts" is to convert names, numbers etc into pictures and 

sequences of pictures forming a storyline. 

For a numerical PIN, the display consists of a 2-dimensional array 
of numeric keys, with a "START" key and "END" key, as shown in 
Figure 4. The user "jogs" the XY control to move off the "START" key 
onto the first number of the code; this could take several movements, 
for example getting to the "9" target from the "START". In a basic 
implementation, the design would allow movement in the four main 
directions UP, RIGHT, DOWN and LEFT, or might also allow diagonal 
movements as well to give eight in all. The grid size and spacing is 
determined as integer numbers of "clicks" (depressions of the 
movement control) to give the user an accurate idea of where the 
cursor lies: where movement control is by continuous movement means 
such as a mouse, the size of the targets should be greater to give a 
greater probability of the cursor being in the space where the user 
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Intends it to be. Whenever a key is reached which corresponds to the 
next digit in the code, a button on the controller is pressed to select 
that digit as a part of the code. Completion is indicated by clicking on 
the "END" key or, if no specific "END" key is provided, on the last 
5 target of the sequence. If the user was conscious of making an error, 

clicking on the "START" key could clear the code and re-start. The 
layout shown in Figure 4 would provide 10" codes, where n is the 
number of digits in the code, and codes could be of arbitrary length. 
Where there is no select function, and the code is entered by simply 

10 moving through targets in a predetermined order, the number of 

possible codes is of course reduced by the adjacency requirement for 
the numbers in the sequence. 

To further improve the security, the system may be set up to 
rearrange some or all of the targets for each attempt to enter the code, 

1 5 as shown by Figure 5. A third party would then only be able to learn 

a users security code by observing both the movement instructions 
input by the user and the arrangement and identity of targets at that 
time. 

In a modified embodiment, the idea of changing target 
20 arrangements is extended to an Interaction using a sequence of choice 

patterns A, B and C, one for each symbol in the code as shown In 
Figure 6 for a three-target code. The user moves from the origin (start 
point) of the first arrangement A presented, to one of the eight 
surrounding pictures (targets). As soon as this is done, or following 
selection If required, the choice pattern is replaced by another B. and 
the user is re-positioned at the origin. In the replacement pattern, the 
existing targets may simply be rearranged (as with Figures 4 and 5), 
they may be partially replaced (transition from A to B), or they may be 
completely replaced (transition from B to C). 
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When relocated to the origin of the second pattern B, the user 
chooses a second picture by again moving off the origin. This sequence 
of moving from the origin and replacement of the pattern continues until 
the code is complete. The sequence of Figure 6 is only three pictures 
long; more would probably be needed in practice to give a greater 
number of possible codes. For the target layout shown, a sequence of 
n choice patterns would provide 8" possible (fixed-length) codes. 

As will be appreciated, variations on the above examples are 
possible. Any suitable layout of targets could be used, and the number 
of targets could be varied, as shown in Figures 1 and 2. It may even 
be desirable to repeat some of the targets within the layout, but if the 
selection of a particular one from a number of repeated targets is 
important, care must be taken when specifying rearrangement of the 
pattern (for example with two targets the same, it might be specified 
that the required one will always appear somewhere in the top row of 
a grid and the other somewhere in the bottom row). If the controller 
has two or more buttons which may be used to select, then the use of 
one or another button may be specified as a conditional feature when 
entering the code. Audio feedback could be provided so that the user 
knows they have made a valid movement; the important thing is that no 
visual effect should occur which could reveal the code the user is 
entering. 

From reading of the present disclosure, other modifications will 
be apparent to persons skilled in the art. Such modifications may 
involve other features which already known in the field of security 
coding techniques and apparatus, and component parts thereof and 
which may be used instead of or in addition to features already 
described herein. Although claims have been formulated in this 
application to particular combinations of features, it should be 
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understood that the scope of the disclosure of the present application 
also includes any novel feature or any novel combination of features 
disclosed herein either explicitly or implicitly, whether or not it relates 
to the same invention as presently claimed in any claim and whether or 
not it mitigates any or all of the same technical problems as does the 
present invention. The applicants hereby give notice that new claims 
may be formulated to such features and/or combinations of such 
features during the prosecution of the present application or of any 
further application derived therefrom. 



wo 96/18139 



1 1 



PCT/IB95/0I03S 



CLAIMS 

1. A method for restricting access to a computer-based 
system having a processor, a display, and user input means arranged to 
move an indicator about the display under user control, the method 
requiring correct entry by the user of a predetermined security code as 
a prerequisite to access, characterised in that; 

the user is presented, via the display, with a first pattern 
comprising a start point and a plurality of target points arranged related 
thereto, and the security code comprises a predetermined sequence of 
the target points; 

the user is required to move the indicator through the 
predetermined sequence of target points whilst display of the indicator 
is inhibited; and 

on determining that the indicator has been moved through 
a sequence of target points, an indication is provided to the user if that 
sequence does not correspond to the predetermined sequence. 

2. A method as claimed in Claim 1, wherein the first pattern 
further comprises an end point, and the determination that the indicator 
has been moved through a sequence of target points occurs when the 
indicator is moved to the end point. 

3. A method as claimed in Claim 1 , wherein the user input 
means is operable to select items on the display when indicated by the 
indicator, and correct entry of the security code further requires 
selection of a predetermined one or ones of the target points in the 
predetermined sequence. 



wo 96/18139 



PCT/IB95/01035 



12 

4. A method as claimed in Claim 3, wherein for one or more 
target points of the first pattern, selection of that target point causes 
the first pattern to be changed to a second pattern of target points. 

5 5. A method as claimed in Claim 4, wherein the second 

pattern comprises the respective target points of the first pattern 
rearranged on the display. 

6. A method as claimed in Claim 4, wherein the second 
10 pattern includes one or more target points not included in the first 

pattern. 

7. A method as claimed in Claim 4, wherein the second 
pattern includes a start point and, on changing from the first pattern to 

15 the second pattern, the indicator is positioned at the start point of the 

second pattern. 

8. A method as claimed in Claim 1, wherein returning the 
indicator to the start point following movement to a target point restarts 

20 the users sequence input. 

9. A method as claimed in Claim 1 , wherein for successive 
attempts to enter the predetermined sequence, the relative positions of 
the target points of the first pattern are altered. 

25 

1 0. A method as claimed in Claim 1 , wherein the target points 
comprise alphanumeric characters or graphical symbols or a 
combination of the two. 
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11. A computer-based apparatus having access restricted by 
the method of Claim 1, the apparatus including a target point store 
holding data specifying the respective locations of the target points on 
the display; a security code store holding at least one security code; 

5 first comparator means arranged to receive an identification of current 

indicator position, compare this with the target point location data from 
the target store, and output an identification of a currently indicated 
target point; and second comparator means arranged to receive a 
sequence of the identifications from the first comparator means, 

10 compare that sequence with the code in the security code store, and 

output one or more signals indicating whether or not there is a match. 

1 2. An apparatus as claimed in Claim 1 1 , wherein the target 
point store holds a plurality of target point arrangements, the apparatus 

15 further comprising pseudo-random selector means operable to select 

which of the plurality of target point arrangements is to be displayed. 
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